PCI Service Providers Levels 1 and 2 Compliance Requirements 

For purposes of PCI DSS compliance, service providers are often seen as “… companies that provide services that control or could impact the security of cardholder data…”.  That’s quite a generalized statement, and one that’s created much discussion as to what a service provider truly is, but more important, what are their respective compliance requirements.  In simpler terms – and for an ounce of clarity – service providers are organizations that have a credible relationship or “nexus” with cardholder data.

Companies such as data centers, managed services providers, Software as a Service (SaaS) entities – and others – are looked upon in the world of PCI as service providers.  While they may not be directly involved in storage, processing, and/or transmitting of cardholder data, their affiliation or “nexus” with it is enough to identify them as such.

Listed below are the Service Provider levels, criteria, and related validation requirements for VISA and MasterCard. Though there are technically three (3) other major payment brands (AMEX, Discover, and JCB), compliance with the two (2) noted brands generally covers the others:

Service Provider Level: 1

•    Service Provider Criteria for VISA: VisaNet processors or any service provider that stores, processes and/or transmits over 300,000 Visa transactions annually.
•    Validation Requirements for VISA: (1). Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) also commonly known as an onsite assessment.  (2). Quarterly network scan by Approved Scan Vendor (“ASV”). (3). Attestation of Compliance Form
•    Service Provider Criteria for MasterCard: All DSE’s that store, transmit, or process greater than 300,000 total combined MasterCard and Maestro transactions annually.
•    Validation Requirements for MasterCard: (1). Annual Report on Compliance (“ROC”) by Qualified Security Assessor (“QSA”) also commonly known as an onsite assessment.  (2). Quarterly network scan by Approved Scan Vendor (“ASV”). (3). Attestation of Compliance Form

Service Provider Level: 2

•    Service Provider Criteria for VISA: Any service provider that stores, processes and/or transmits less than 300,000 Visa transactions annually.
•    Validation Requirements for VISA: (1). (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.
•    Service Provider Criteria for MasterCard: (1). Includes all DSE’s that store, transmit, or process less than 300,000 total combined MasterCard and Maestro transactions annually.
•    Validation Requirements for MasterCard: (1). Annual Self-Assessment Questionnaire (“SAQ”). (2). Quarterly network scan by ASV. (3). Attestation of Compliance Form.

Policies and Procedures are a Must for PCI Compliance –  Download Now

Unlike merchants and the four (4) different levels of criteria, service providers only have two (2) levels – Level 1 and Level 2.  Level 1 service providers require an onsite assessment by Qualified Security Assessor (QSA), while Level 2 service providers require an annual self-assessment with SAQ -D.  pcipolicyportal.com has the following documented policies and procedures for both levels and corresponding requirements:

•    Download Self-Assessment Questionnaire (SAQ) policies and procedures for Service Providers.
•    Download Level 1 Onsite Assessments policies and procedures.

Level 1 Onsite Assessments – A Requirement for Service Providers

Many service providers are being required to undergo an actual Level 1 onsite assessment, regardless of their applicable level for which they fall under.  This is due to many factors, but most notably client demands for QSA assessments, along with acquirers and other notable entities requiring them. Because the transaction level for service providers is becoming irrelevant (after all, many, if not all, don’t process cardholder data), the default requirement is now being seen as a Level 1 onsite assessment by a QSA.

Offering Policies for Merchants Also for SAQ – Download Today

Learn more about the PCI certification process for the Self-Assessment Questionnaires (SAQ A – D), and the PCI certification process for Level 1 onsite assessments by a QSA and the importance of PCI compliance policies, procedures, and templates for compliance by visiting pcipolicyportal.com.  Furthermore, pcipolicyportal.com also offers policy and procedure writing services for organizations seeking a highly customized set of PCI policies and procedures, along with offering an initial no-cost consultation.  Contact us today at pci@pcipolicyportal.com, or call us at 424-274-1952 to learn more.

Get A Free Quote